A sophisticated cyberattack targeted a telecommunications provider in the Middle East using a custom tool that hid malicious commands inside image files sent via email.

Who was behind the attack?

The attack was attributed to OilRig, a known Iranian-linked cyber group with a history of espionage campaigns.

What was the goal of the attackers?

The attackers aimed to gain long-term access, steal sensitive data, and remain undetected within the victim's systems.

What kind of organizations were targeted?

A telecommunications company in the Middle East was the primary target, consistent with past OilRig interest in critical infrastructure.

How did the attack work?

The attackers used emails to send and receive image files containing hidden commands. These files communicated with a custom backdoor that could execute commands and steal files, all while avoiding detection.

Why are telecom companies attractive targets?

Telecommunications firms manage sensitive communication infrastructure and data, making them prime targets for espionage and surveillance.

What can organizations do to protect themselves?

They should closely monitor email activity, especially involving inbox rules and image attachments, inspect DNS and HTTP traffic, and train staff to recognize suspicious behavior.

Is this a widespread threat or a targeted one?

This attack appears highly targeted, using custom tools and infrastructure focused on a specific region and industry.

Threats Feed|OilRig|Last Updated 10/04/2025|AuthorCertfa Radar|Publish Date22/07/2020

OilRig's Steganography-Based C2 Channel Targets Middle Eastern Telecoms

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Backdoor,Downloader,Malware
Attack Complexity: High
Threat Risk: Low Impact/High Probability

Threat Overview

OilRig targeted a telecommunications organization in the Middle East using a variant of their RDAT tool, featuring a novel email-based command and control (C2) channel that employs steganography. This method hides commands and data within bitmap images attached to emails, making detection difficult. The attack involved custom Mimikatz tools for credential dumping, Bitvise for SSH tunneling, and PowerShell downloaders. RDAT has been under development since 2017, evolving to include DNS tunneling and Exchange Web Services (EWS) for C2 communications. The use of steganographic images in emails represents a sophisticated evasion technique.

Reference and Credit: Palo Alto Networks - July 2020

OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory

Detected Targets

Type	Description	Confidence
Sector	Telecommunication	Verified
Region	United Arab Emirates	Medium
Region	Middle East Countries	Verified

Extracted IOCs

acrlee[.]com
allsecpackupdater[.]com
intelligent-finance[.]site
kizlarsoroyur[.]com
kopilkaorukov[.]com
oudax[.]com
rdmsi[.]com
rsshay[.]com
sharjatv[.]com
tacsent[.]com
tprs-servers[.]eu
wwmal[.]com
apps.vvvnews[.]com
digi.shanx[.]icu
sharjatv.comwwmal[.]com
h76y@acrlee[.]com
koko@acrlee[.]com
476b40796be68a5ee349677274e438aeda3817f99ba9832172d81a2c64b0d4ae
4ea6da6b35c4cdc6043c3b93bd6b61ea225fd5e1ec072330cb746104d0b0a4ec
55282007716b2b987a84a790eb1c9867e23ed8b5b89ef1a836cbedaf32982358
6322cacf839b9c863f09c8ad9fd0e091501c9ba354730ab4809bb4c076610006
7395a3ada245df6c8ff1d66fcb54b96ae12961d5fd9b6a57c43a3e7ab83f3cc2
78584dadde1489a5dca0e307318b3d2d49e39eb3987de52e288f9882527078d5
7b5042d3f0e9f077ef2b1a55b5fffab9f07cc856622bf79d56fc752e4dc04b28
8120849fbe85179a16882dd1a12a09fdd3ff97e30c3dfe52b43dd2ba7ed33c2a
8f943bc5b20517fea08b2d0acc9afe8990703e9d4f7015b98489703ca51da7eb
acb50b02ab0ca846025e7ad6c795a80dc6f61c4426704d0f1dd7e195143f5323
ba380e589261781898b1a54c2889f3360db09c61b9155607d7b4d11fcd85bd9d
bcdb63b3520e34992f292bf9a38498f49a9ca045b7b40caab5302c76ca10f035
de3f1cc2d4aac54fbdebd5bd05c9df59b938eb79bda427ae26dedef4309c55a9
e53cc5e62ba15e43877ca2fc1bee16061b4468545d5cc1515cb38000e22dd060
ee32bde60d1175709fde6869daf9c63cd3227155e37f06d45a27a2f45818a3dc
f42c2b40574dc837b33c1012f7b6f41fcccc5ebf740a2b0af64e2c530418e9e0
fcabb86331cd5e2fa9edb53c4282dfcb16cc3d2cae85aabf1ee3c0c0007e508c

download

Tip: 34 related IOCs (0 IP, 15 domain, 0 URL, 2 email, 17 file hash) to this threat have been found.

FAQs

OilRig's Stealth Attack Using Steganography and Email

: A sophisticated cyberattack targeted a telecommunications provider in the Middle East using a custom tool that hid malicious commands inside image files sent via email.
: The attack was attributed to OilRig, a known Iranian-linked cyber group with a history of espionage campaigns.
: The attackers aimed to gain long-term access, steal sensitive data, and remain undetected within the victim's systems.
: A telecommunications company in the Middle East was the primary target, consistent with past OilRig interest in critical infrastructure.
: The attackers used emails to send and receive image files containing hidden commands. These files communicated with a custom backdoor that could execute commands and steal files, all while avoiding detection.
: Telecommunications firms manage sensitive communication infrastructure and data, making them prime targets for espionage and surveillance.
: They should closely monitor email activity, especially involving inbox rules and image attachments, inspect DNS and HTTP traffic, and train staff to recognize suspicious behavior.
: This attack appears highly targeted, using custom tools and infrastructure focused on a specific region and industry.

About Affiliation

OilRig

Associate threats